qianfanocr-document-intelligence

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs the agent to ask the user for the QIANFAN_TOKEN API key and to persist it into /.env as QIANFAN_TOKEN=..., which requires handling and embedding the secret verbatim (high exfiltration risk).

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). This skill explicitly accepts and downloads arbitrary HTTP/HTTPS image and PDF URLs (see SKILL.md "Pass local image paths or image URLs directly to qianfan_ocr_cli.py" and scripts/pdf_to_images.py::download_pdf using urlopen, plus qianfan_ocr_cli.image_source_to_url which sends remote image URLs to the VLM), so untrusted, public third‑party content is ingested and then interpreted by the model as part of the workflow, allowing that content to materially influence parsing, layout decisions, and subsequent tool actions.